On Wed, Aug 18, 2010 at 07:46:37PM +0200, Peter Palfrader wrote:
> On Wed, 18 Aug 2010, Iustin Pop wrote:
>
> > First, thanks for reporting this. But I cannot reproduce this on
> > unstable (in a clean pbuilder chroot), since the python-setuptools
> > is new enough (for sid).
> >
> > While the behaviour of stable builds is not good (and the versioned
> > dependency is incorrect), I don't think it warrants an RC status for
> > this bug, as it doesn't affect sid/testing.
> >
> > Please explain why you think this is RC... My proposal would be to degrade to
> > important, while I try to convince setuptools to do the right thing.
>
> I think debian packages, and that includes their source, should be
> secure by default. If trying to build a package in a slightly different
> environment suddenly starts to do insanely insecure things then that'd be a
> bug. Failing to build is fine, downloading code from the net and then
> running it without any kind of verification probably isn't.
Totally agreed.

> It might not be something we can fix for this release, but I think this
> is a significant security bug in the source package.

Unfortunately, my first investigation shows that this is a generic problem with setuptools, and not easy to disable. So while a correct dependency will work around the automatic download, I'm not sure it's possible to ensure that the download code will not be called in the face of weird situations.

regards,
iustin
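Added note, not part of the thread above: setuptools reads the `[easy_install]` section of the package's `setup.cfg` when it goes to fetch a missing `setup_requires` dependency at build time, and its documented `allow_hosts` option restricts which hosts it may download from. Setting it to `None` turns the silent download into a build failure, which is the behaviour the thread argues for; the package name below is a constructed placeholder.

```ini
# setup.cfg of a hypothetical source package "examplepkg" (placeholder name).
# Weak default: no [easy_install] section at all, so an unsatisfied
# setup_requires makes setuptools fetch and run code from PyPI during build.

[easy_install]
# Hardened: refuse every download host. A missing build dependency now
# aborts the build with a "could not find suitable distribution" error
# instead of pulling unverified code off the network.
allow_hosts = None
```

This only governs downloads that go through easy_install; a correct versioned build dependency in the Debian packaging remains the primary fix.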